Heap-based Buffer Overflow in vim/vim
Description
Vim versions prior to 8.2.3564 contain a heap-based buffer overflow in the screen update logic when scrolling in ex mode, potentially leading to memory corruption.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
CVE-2021-3903 is a heap-based buffer overflow in Vim, affecting versions before the patch 8.2.3564. The vulnerability resides in the screen update logic when scrolling in ex mode, specifically when w_botline is invalid [2]. The bug can be triggered by executing certain commands (e.g., diffsplit followed by norm os0\x030(\x04) in ex mode, as demonstrated in the test case added by the fix [2].
Exploitation
An attacker can exploit this vulnerability by crafting a file or a sequence of Vim commands that cause scrolling in ex mode with an invalid screen state. The attacker does not require authentication but relies on the victim opening the malicious file or executing the crafted commands. The exploit path is reachable when Vim is run with -e (ex mode) and -s (script) options, as shown in the test [2].
Impact
Successful exploitation of the heap-based buffer overflow can lead to memory corruption, potentially resulting in a denial of service (crash) or arbitrary code execution in the context of the Vim process. The impact is limited to the privileges of the user running Vim, but could be elevated if Vim is configured to run with higher privileges (e.g., for editing system files) [1].
Mitigation
The vulnerability is fixed in Vim version 8.2.3564, released on October 4, 2021 [2]. Users should update to this version or later. As an unofficial workaround, avoid opening untrusted files in ex mode and do not run Vim scripts from untrusted sources; no official workaround other than patching has been published.
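The mitigation above is a version floor, so the practical question for a defender is whether a given Vim binary actually carries patch 8.2.3564. The following is an added example, not code from the CVE record or from the Vim project: a POSIX sh check that parses the output of `vim --version` (its first line, "VIM - Vi IMproved X.Y ...", and its "Included patches:" line, both of which real Vim prints) and reports whether the fix is present. The sample outputs inside the block are constructed for the demonstration, not captured from real systems. One caveat the affected-products list on this page illustrates: distribution packages such as 2:8.2.2637-21.el9 backport fixes without extending the patch list, so for vendor-packaged Vim the vendor advisory, not this check, is authoritative.

```shell
#!/bin/sh
# Added example (not from the CVE record or the Vim project): decide from
# `vim --version` output whether a locally built Vim includes patch 8.2.3564,
# the fixed version named in the record. Assumes the standard output format:
#   line 1:  "VIM - Vi IMproved 8.2 (2019 Dec 12, compiled ...)"
#   later:   "Included patches: 1-100, 150, 200-3600"
# Caveat: vendor packages backport fixes without bumping the patch list, so
# this check is only meaningful for Vim built from upstream sources.

FIX_PATCH=3564   # patch number of the fixed upstream version 8.2.3564

# vim_has_fix "<text of vim --version>"
#   exit 0 = fix present, 1 = fix absent, 2 = version line not recognised
vim_has_fix() {
    out=$1
    mm=$(printf '%s\n' "$out" \
        | sed -n 's/^VIM - Vi IMproved \([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p' \
        | head -n 1)
    [ -n "$mm" ] || return 2
    set -- $mm
    major=$1; minor=$2
    # Any series newer than 8.2 was cut after the fix and carries it.
    if [ "$major" -gt 8 ] || { [ "$major" -eq 8 ] && [ "$minor" -gt 2 ]; }; then
        return 0
    fi
    # Any series older than 8.2 predates the fix entirely.
    if [ "$major" -lt 8 ] || [ "$minor" -lt 2 ]; then
        return 1
    fi
    # 8.2.x: walk the comma-separated "Included patches" ranges for FIX_PATCH.
    patches=$(printf '%s\n' "$out" | sed -n 's/^Included patches: *//p' | head -n 1)
    oldifs=$IFS
    IFS=,
    for tok in $patches; do
        tok=$(printf '%s' "$tok" | tr -d ' ')
        [ -n "$tok" ] || continue
        case $tok in
            *-*) lo=${tok%%-*}; hi=${tok##*-} ;;   # "200-3600" style range
            *)   lo=$tok;       hi=$tok ;;         # single patch number
        esac
        if [ "$lo" -le "$FIX_PATCH" ] && [ "$hi" -ge "$FIX_PATCH" ]; then
            IFS=$oldifs
            return 0
        fi
    done
    IFS=$oldifs
    return 1
}

# vim_fix_status "<text of vim --version>": prints fixed | vulnerable | unknown
vim_fix_status() {
    rc=0
    vim_has_fix "$1" || rc=$?
    case $rc in
        0) echo fixed ;;
        2) echo unknown ;;
        *) echo vulnerable ;;
    esac
}

# Constructed sample outputs (not real captures) covering each branch.
SAMPLE_FIXED='VIM - Vi IMproved 8.2 (2019 Dec 12, compiled Nov  1 2021 10:00:00)
Included patches: 1-3600'
SAMPLE_VULN='VIM - Vi IMproved 8.2 (2019 Dec 12, compiled Oct  1 2021 10:00:00)
Included patches: 1-3563'
SAMPLE_GAP='VIM - Vi IMproved 8.2 (2019 Dec 12, compiled Dec  1 2021 10:00:00)
Included patches: 1-3500, 3580-3700'
SAMPLE_NEWER='VIM - Vi IMproved 9.0 (2022 Jun 28, compiled Jan  1 2023 10:00:00)
Included patches: 1-100'
SAMPLE_OLD='VIM - Vi IMproved 8.1 (2018 May 18, compiled Jan  1 2019 10:00:00)
Included patches: 1-2269'

for name in FIXED VULN GAP NEWER OLD; do
    eval "sample=\$SAMPLE_$name"
    printf 'sample %-6s -> %s\n' "$name" "$(vim_fix_status "$sample")"
done

# Live check of the Vim on PATH, if there is one.
if command -v vim >/dev/null 2>&1; then
    printf 'local vim     -> %s\n' "$(vim_fix_status "$(vim --version)")"
fi
```

The range walk matters because a custom build can include patches selectively, so "Included patches: 1-3500, 3580-3700" must be reported as vulnerable even though its highest patch number is above 3564.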
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
OSV coordinates, 40 versions (no CPE for any entry); each line gives the package and the fixed-version range:
- pkg:rpm/almalinux/vim-common: < 2:8.2.2637-21.el9
- pkg:rpm/almalinux/vim-enhanced: < 2:8.2.2637-21.el9
- pkg:rpm/almalinux/vim-filesystem: < 2:8.2.2637-21.el9
- pkg:rpm/almalinux/vim-minimal: < 2:8.2.2637-21.el9
- pkg:rpm/almalinux/vim-X11: < 2:8.2.2637-21.el9
- pkg:rpm/opensuse/vim&distro=openSUSE%20Leap%2015.3: < 8.2.5038-150000.5.21.1
- pkg:rpm/opensuse/vim&distro=openSUSE%20Leap%2015.4: < 8.2.5038-150000.5.21.1
- pkg:rpm/suse/vim&distro=SUSE%20Enterprise%20Storage%206: < 8.2.5038-150000.5.21.1
- pkg:rpm/suse/vim&distro=SUSE%20Enterprise%20Storage%207: < 8.2.5038-150000.5.21.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP1-ESPOS: < 8.2.5038-150000.5.21.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP1-LTSS: < 8.2.5038-150000.5.21.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP2-ESPOS: < 8.2.5038-150000.5.21.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP2-LTSS: < 8.2.5038-150000.5.21.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015-ESPOS: < 8.2.5038-150000.5.21.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015-LTSS: < 8.2.5038-150000.5.21.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Micro%205.1: < 8.2.5038-150000.5.21.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Micro%205.2: < 8.2.5038-150000.5.21.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP3: < 8.2.5038-150000.5.21.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP4: < 8.2.5038-150000.5.21.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Desktop%20Applications%2015%20SP3: < 8.2.5038-150000.5.21.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Desktop%20Applications%2015%20SP4: < 8.2.5038-150000.5.21.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2-BCL: < 9.0.0814-17.9.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP3-BCL: < 9.0.0814-17.9.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP4-LTSS: < 9.0.0814-17.9.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5: < 9.0.0814-17.9.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP1-BCL: < 8.2.5038-150000.5.21.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP1-LTSS: < 8.2.5038-150000.5.21.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP2-BCL: < 8.2.5038-150000.5.21.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP2-LTSS: < 8.2.5038-150000.5.21.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Server%2015-LTSS: < 8.2.5038-150000.5.21.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP4: < 9.0.0814-17.9.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP5: < 9.0.0814-17.9.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015: < 8.2.5038-150000.5.21.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP1: < 8.2.5038-150000.5.21.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP2: < 8.2.5038-150000.5.21.1
- pkg:rpm/suse/vim&distro=SUSE%20Manager%20Proxy%204.1: < 8.2.5038-150000.5.21.1
- pkg:rpm/suse/vim&distro=SUSE%20Manager%20Retail%20Branch%20Server%204.1: < 8.2.5038-150000.5.21.1
- pkg:rpm/suse/vim&distro=SUSE%20Manager%20Server%204.1: < 8.2.5038-150000.5.21.1
- pkg:rpm/suse/vim&distro=SUSE%20OpenStack%20Cloud%209: < 9.0.0814-17.9.1
- pkg:rpm/suse/vim&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209: < 9.0.0814-17.9.1
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Invalid `w_botline` value during scrolling in Ex mode leads to heap-based buffer overflow."
Attack vector
An attacker can trigger the heap-based buffer overflow by crafting a file that, when opened in Vim's Ex mode (`-e`), causes the editor to scroll using control characters (e.g., `0x03`, `0x28`, `0x04`) while a `diffsplit` window is active [ref_id=1]. The invalid `w_botline` value leads to out-of-bounds memory access during screen redraw. No authentication is required beyond the victim opening the malicious file with Vim.
Affected code
The vulnerability resides in Vim's screen update logic, specifically in how `w_botline` is handled when scrolling in Ex mode. The patch adds a test (`Test_scroll_in_ex_mode`) that reproduces the invalid memory access by using `diffsplit` and control characters (`0x03`, `0x28`, `0x04`) in Ex mode, which caused `w_botline` to become invalid and led to a heap-based buffer overflow [ref_id=1].
What the fix does
The commit [ref_id=1] adds a regression test (`Test_scroll_in_ex_mode`) that reproduces the crash scenario using `diffsplit` and control characters in Ex mode. While the diff shown is primarily whitespace/style changes and the new test, the test itself validates that the invalid memory access no longer occurs. The underlying fix (not fully visible in this diff excerpt) ensures `w_botline` is properly validated before being used in scroll operations, preventing the heap-based buffer overflow.
Preconditions
- input: The victim must open a crafted file in Vim's Ex mode (`-e`) or via a script that triggers the scrolling sequence.
- input: The file must contain control characters (0x03, 0x28, 0x04) and a `diffsplit` command to trigger the invalid `w_botline` state.
Generated on May 29, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BN4EX7BPQU7RP6PXCNCSDORUZBXQ4JUH/ (mitre; vendor-advisory; x_refsource_FEDORA)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DU26T75PYA3OF7XJGNKMT2ZCQEU4UKP5/ (mitre; vendor-advisory; x_refsource_FEDORA)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FNXY7T5OORA7UJIMGSJBGHFMU6UZWS6P/ (mitre; vendor-advisory; x_refsource_FEDORA)
- www.openwall.com/lists/oss-security/2022/01/15/1 (mitre; mailing-list; x_refsource_MLIST)
- github.com/vim/vim/commit/777e7c21b7627be80961848ac560cb0a9978ff43 (mitre; x_refsource_MISC)
- huntr.dev/bounties/35738a4f-55ce-446c-b836-2fb0b39625f8 (mitre; x_refsource_CONFIRM)
- lists.debian.org/debian-lts-announce/2022/06/msg00014.html (mitre; mailing-list; x_refsource_MLIST)
News mentions
No linked articles in our index yet.